Errors in FIM CM on Large Active Directory
Hi,
I've deployed FIM CM on a very large Active directory (250000+ users) everything has been delegated correctly and I am having two problems when looking up users for smartcard enrollment. All normal usernames are based on the following standards:
Standard Accounts: Abcd123 Service Accounts: svc123 Admin Accounts: adm123
When I try to lookup users based on "abc" i get an 'ADSDSOOBject' Failed with no error message available, result code: -2147016669(0x80072023). I can however successfully search for service and admin accounts. Then I try to do a lookup of the actual
login Name i.e. abcd321 i get the following error: "value does not fall within the expected range"
Can anyone please help
December 10th, 2010 2:41am
Hi Everyone,
We have managed to resolve both problems. Thanks for everyone involved in assisting us. Here are both problems listed with both solutions:
1.
'ADSDSOObject' Failed with no error message available, result code: -2147016669(0x80072023).
This error code simply means that the search scope you are trying to read is too large. Plainly your result set is too large; add additional search parameters
to limit the search scope. By default AD has a search scope limit for queries and the amount of AD objects a FIM CM search can return is limited by these same limits (to my knowledge it is 1000 objects). Unfortunately this value cannot be increased in FIM
CM.
2.
“value does not fall within the expected range” error
In short this error occurs because Authorization Agent account does not have sufficient rights. Check that the account is part of the “Pre-Windows 2000
Compatible Access” Group and that the group rights are not applied differently across the Active Directory. Our problem stemmed from the fact that a set of OU’s had the permission for the group altered from the initially delegated permission. So
if you get this error on a user, you can be sure that there is a permissions issue on the OU where they are located.
Additional notes:
If you have a large amount of users and groups, be sure add your subscribers group to the
CLM.RequestSecurity.Groups key in the Web.config file.
I hope this helps someone out there.
Free Windows Admin Tool Kit Click here and download it now
December 10th, 2010 4:58pm